2022-08-16 17:22:34 |
Scott Moser |
bug |
|
|
added bug |
2022-08-16 17:22:34 |
Scott Moser |
attachment added |
|
README documenting how I have tested this. https://bugs.launchpad.net/bugs/1986692/+attachment/5609151/+files/README.md.txt |
|
2022-08-16 17:24:49 |
Scott Moser |
attachment added |
|
tarball of gist with recreate https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1986692/+attachment/5609153/+files/jammy-snakeoil-ovmf-bug.tar.xz |
|
2022-08-16 17:25:17 |
Scott Moser |
bug |
|
|
added subscriber dann frazier |
2022-08-17 19:55:03 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
2022-08-17 19:55:03 |
Sergio Durigan Junior |
bug task added |
|
edk2 (Ubuntu Jammy) |
|
2022-08-17 19:55:07 |
Sergio Durigan Junior |
edk2 (Ubuntu Jammy): status |
New |
Triaged |
|
2022-08-17 19:55:16 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
2022-08-17 20:05:21 |
dann frazier |
edk2 (Ubuntu): assignee |
|
dann frazier (dannf) |
|
2022-08-17 20:06:06 |
dann frazier |
edk2 (Ubuntu): status |
New |
In Progress |
|
2022-08-18 16:29:58 |
Scott Moser |
description |
It appears that the OVMF_VARS_4M.snakeoil files are not correctly contain the snakeoil keys.
I signed an EFI executable with sbsign using PkKek-1-snakeoil.pem.
I attempted to boot a uefi qemu system using OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.snakeoil.fd and then execute that EFI application. It resulted in:
Command Error Status: Access Denied
This general process works fine with Ubuntu 20.04 files, but fails with 22.04.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ovmf 2022.02-3 [modified: usr/share/OVMF/OVMF_VARS.fd]
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 16 12:45:27 2022
Dependencies:
InstallationDate: Installed on 2020-01-15 (943 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: edk2
UpgradeStatus: Upgraded to jammy on 2020-04-17 (851 days ago) |
It appears that the OVMF_VARS_4M.snakeoil files do not correctly contain the snakeoil keys.
I signed an EFI executable with sbsign using PkKek-1-snakeoil.pem.
I attempted to boot a uefi qemu system using OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.snakeoil.fd and then execute that EFI application. It resulted in:
Command Error Status: Access Denied
This general process works fine with Ubuntu 20.04 files, but fails with 22.04.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ovmf 2022.02-3 [modified: usr/share/OVMF/OVMF_VARS.fd]
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 16 12:45:27 2022
Dependencies:
InstallationDate: Installed on 2020-01-15 (943 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: edk2
UpgradeStatus: Upgraded to jammy on 2020-04-17 (851 days ago) |
|
2022-09-08 01:40:32 |
Launchpad Janitor |
edk2 (Ubuntu): status |
In Progress |
Fix Released |
|
2022-09-13 22:30:14 |
dann frazier |
edk2 (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2022-09-13 22:30:17 |
dann frazier |
edk2 (Ubuntu Jammy): assignee |
|
dann frazier (dannf) |
|
2022-09-13 22:42:00 |
dann frazier |
description |
It appears that the OVMF_VARS_4M.snakeoil files do not correctly contain the snakeoil keys.
I signed an EFI executable with sbsign using PkKek-1-snakeoil.pem.
I attempted to boot a uefi qemu system using OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.snakeoil.fd and then execute that EFI application. It resulted in:
Command Error Status: Access Denied
This general process works fine with Ubuntu 20.04 files, but fails with 22.04.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ovmf 2022.02-3 [modified: usr/share/OVMF/OVMF_VARS.fd]
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 16 12:45:27 2022
Dependencies:
InstallationDate: Installed on 2020-01-15 (943 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: edk2
UpgradeStatus: Upgraded to jammy on 2020-04-17 (851 days ago) |
[Impact]
The "snakeoil" keys are not properly enrolled in the snakeoil images, making them useless for purpose. These are images preconfigured to trust an included (insecure) key/cert useful for certain testing.
[Test Case]
A regression test has been added as an autopkgtest.
[What Could Go Wrong]
Some refactoring was required to generate these images correctly, and that could impact how keys are enrolled in other images. autopkgtests are in place to verify those - but if those tests were to miss something, we could potentially regress an existing VM boot configuration. |
|
2022-09-13 22:43:34 |
dann frazier |
description |
[Impact]
The "snakeoil" keys are not properly enrolled in the snakeoil images, making them useless for purpose. These are images preconfigured to trust an included (insecure) key/cert useful for certain testing.
[Test Case]
A regression test has been added as an autopkgtest.
[What Could Go Wrong]
Some refactoring was required to generate these images correctly, and that could impact how keys are enrolled in other images. autopkgtests are in place to verify those - but if those tests were to miss something, we could potentially regress an existing VM boot configuration. |
[Impact]
The "snakeoil" keys are not properly enrolled in the snakeoil images, making them useless for purpose. These are images preconfigured to trust an included (insecure) key/cert, which is useful for testing boot artifacts in a non-prod Secure Boot environment.
[Test Case]
A regression test has been added as an autopkgtest.
[What Could Go Wrong]
Some refactoring was required to generate these images correctly, and that could impact how keys are enrolled in other images. autopkgtests are in place to verify those - but if those tests were to miss something, we could potentially regress an existing VM boot configuration. |
|
2022-10-17 12:27:08 |
Timo Aaltonen |
edk2 (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-10-17 12:27:11 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-10-17 12:27:13 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2022-10-17 12:27:17 |
Timo Aaltonen |
tags |
amd64 apport-bug jammy wayland-session |
amd64 apport-bug jammy verification-needed verification-needed-jammy wayland-session |
|
2022-10-17 14:24:30 |
Scott Moser |
tags |
amd64 apport-bug jammy verification-needed verification-needed-jammy wayland-session |
amd64 apport-bug jammy verification-done-jammy verification-needed wayland-session |
|
2022-10-25 08:24:42 |
Launchpad Janitor |
edk2 (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-10-25 08:24:51 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|